Package: axis X-Debbugs-CC: t...@security.debian.org Tags: security Hi,
The following vulnerability was published for axis. CVE-2019-0227[0]: | A Server Side Request Forgery (SSRF) vulnerability affected the Apache | Axis 1.4 distribution that was last released in 2006. Security and bug | commits commits continue in the projects Axis 1.x Subversion | repository, legacy users are encouraged to build from source. The | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not | vulnerable to this issue. The vulnerable 'StockQuoteService.jws' is not present in Debian binary packages, however a SSRF mitigation was also committed [1]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-0227 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227 [1] https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5 Cheers! Sylvain Beucler Debian LTS Team